[strongSwan] Challenges with MacOS Roadwarrior

Tom Rymes trymes at rymes.com
Thu Jan 25 22:40:50 CET 2018


I have spent a fair amount of time lurking and searching for the answers 
to this, and I am fairly certain that I have overlooked something basic, 
such as putting the right data in the proper SAN. Unfortunately, the 
learning curve here seems to be quite steep, and I am not keeping up.

Regardless, I cannot get a working RW connection to a MacOS client using 
machine certs. Windows 10 works just fine.

I have tried various combinations of leftid and rightid, along with 
adding different things to the SAN field of the responder's cert, but 
nothing so far has done the trick.

I did notice lines similar to these when trying various different rightids:

"id '%any' not confirmed by certificate, defaulting to 'C=US, ST=ST, 
O=MyOrg, OU=Engineering Dept., CN=RW'"

Can someone please (gently) point out the dumb mistake I have been making?

The error indicates that StrongSwan (5.6.1) cannot find a valid peer 
config, which is why I have been trying to fiddle with the left/rightid 
and the cert SANs.

Many thanks,

Tom

PS: I am attempting to make this work using the built-in VPN client on 
MacOS 10.11 - without importing a special configuration file, just using 
System Preferences.

Error:
Jan 25 14:48:06 myhost charon: 09[NET] received packet: from 
x.x.x.x[500] to y.y.y.y[500] (604 bytes)
Jan 25 14:48:06 myhost charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA 
KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jan 25 14:48:06 myhost charon: 09[IKE] x.x.x.x is initiating an IKE_SA
Jan 25 14:48:06 myhost charon: 09[IKE] x.x.x.x is initiating an IKE_SA
Jan 25 14:48:06 myhost charon: 09[IKE] remote host is behind NAT
Jan 25 14:48:06 myhost charon: 09[IKE] sending cert request for "C=US, 
ST=ST, L=TownA, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA, E=me at domain.dom"
Jan 25 14:48:06 myhost charon: 09[IKE] sending cert request for "C=US, 
ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., CN=MyOrg CA, E=me at domain.dom"
Jan 25 14:48:06 myhost charon: 09[ENC] generating IKE_SA_INIT response 0 
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Jan 25 14:48:06 myhost charon: 09[NET] sending packet: from y.y.y.y[500] 
to x.x.x.x[500] (493 bytes)
Jan 25 14:48:06 myhost charon: 11[NET] received packet: from 
x.x.x.x[4500] to y.y.y.y[4500] (512 bytes)
Jan 25 14:48:06 myhost charon: 11[ENC] unknown attribute type (25)
Jan 25 14:48:06 myhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi 
N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 
DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 25 14:48:06 myhost charon: 11[CFG] looking for peer configs matching 
y.y.y.y[@myhost.domain.dom]...x.x.x.x[me at domain.dom]
Jan 25 14:48:06 myhost charon: 11[CFG] no matching peer config found
Jan 25 14:48:06 myhost charon: 11[IKE] received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 25 14:48:06 myhost charon: 11[IKE] peer supports MOBIKE
Jan 25 14:48:06 myhost charon: 11[ENC] generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]
Jan 25 14:48:06 myhost charon: 11[NET] sending packet: from 
y.y.y.y[4500] to x.x.x.x[4500] (80 bytes)

Config:

version 2

conn %default
         keyingtries=%forever

include /etc/ipsec.user.conf

conn RW2
         left=y.y.y.y
         leftsubnet=0.0.0.0/0
         leftsendcert=always
         leftallowany=yes
         rekey=no
         leftfirewall=yes
         lefthostaccess=yes
         right=%any
         leftcert=/var/ipfire/certs/hostcert.pem
         rightcert=/var/ipfire/certs/RW2cert.pem
 
ike=aes256-sha2_256-modp1024,aes192-sha2_256-modp1024,aes128-sha2_256-modp1024
 
esp=aes256-sha2_256-modp1024,aes192-sha2_256-modp1024,aes128-sha2_256-modp1024
         keyexchange=ikev2
         ikelifetime=3h
         keylife=1h
         dpdaction=clear
         dpddelay=30
         dpdtimeout=90
         authby=rsasig
         leftrsasigkey=%cert
         rightrsasigkey=%cert
         auto=add
         rightsourceip=10.100.2.200/21
         fragmentation=yes

StrongSwan's Cert:

	Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., 
CN=MyOrg CA/emailAddress=me at domain.dom
         Validity
             Not Before: Jan 25 18:19:07 2018 GMT
             Not After : Dec 22 18:19:07 4755 GMT
         Subject: C=US, ST=ST, O=MyOrg, OU=Engineering Dept., 
CN=myhost.domain.dom
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     <snip>
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 3D:37:14:B8:B4:6A:AD:44:D2:C2:66:BE:10:6B:99:E1:95:29:CD:9D
             X509v3 Authority Key Identifier:
 
keyid:53:89:48:5A:AD:A2:81:01:DC:C9:0B:F6:15:25:78:9C:96:AA:5E:73
                 DirName:/C=US/ST=ST/L=TownB/O=MyOrg/OU=Engineering 
Dept./CN=MyOrg CA/emailAddress=me at domain.dom
                 serial:CA:95:8A:1F:26:B5:A1:D7

             X509v3 Extended Key Usage:
                 TLS Web Server Authentication
             X509v3 Subject Alternative Name:
                 DNS:myhost.domain.dom, DNS:y.y.y.y, IP Address:y.y.y.y
     Signature Algorithm: sha256WithRSAEncryption
	<snip>

Mac Client's Cert:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=ST, L=TownB, O=MyOrg, OU=Engineering Dept., 
CN=MyOrg CA/emailAddress=me at domain.dom
         Validity
             Not Before: Jan 25 20:18:53 2018 GMT
             Not After : Dec 22 20:18:53 4755 GMT
         Subject: C=US, ST=ST, O=MyOrg, OU=Engineering Dept., 
CN=Roadwarrior User
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     <snip>
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 AC:29:A4:81:79:B7:1D:4C:BE:0F:DB:9F:8B:CC:AE:26:13:D3:82:73
             X509v3 Extended Key Usage:
                 TLS Web Client Authentication
             X509v3 Authority Key Identifier:
 
keyid:53:89:48:5A:AD:A2:81:01:DC:C9:0B:F6:15:25:78:9C:96:AA:5E:73
                 DirName:/C=US/ST=ST/L=TownB/O=MyOrg/OU=Engineering 
Dept./CN=MyOrg CA/emailAddress=me at domain.dom
                 serial:CA:95:8A:1F:26:B5:A1:D7

             X509v3 Subject Alternative Name:
                 email:me at domain.dom
     Signature Algorithm: sha256WithRSAEncryption
	<snip>



More information about the Users mailing list